public health (HIPAA)

Covered entities are permitted to disclose protected health information (PHI) to public health authorities or other agencies that are authorized by law to collect or receive such data. No authorization from the patient is needed.

Covered entities are generally obligated to limit disclosures to the minimum necessary to accomplish the public health purpose(s). Routine, recurring disclosures will typically be governed by institutional policies and procedures that aim for this standard. Covered entities may accept the representation of a public health authority that any particular disclosure is the minimum necessary.

Public health authority is defined under HIPAA as "an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate."

Such disclosures may relate to

  • the reporting of diseases or injuries;
  • "vital events" such as birth or death;
  • the conduct of public health surveillance, investigations, and interventions.

Such disclosures are typically governed in detail by state laws, and are made to state public health agencies. These activities are not preempted by HIPAA. Note that at the direction of a public health authority these disclosures may also be made to an official of a foreign government agency engaged in a collaborative effort.

Disclosures to the Food and Drug Administration (FDA), or to individuals or corporate persons subject to the jurisdiction of the FDA, are permitted for purposes related to the quality, safety, or effectiveness of FDA-regulated products or activities. These include:

  • collecting or reporting adverse events (or similar activities regarding food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations;
  • tracking FDA-regulated products;
  • enabling product recalls, repairs, or replacement, or for lookback (including locating and notifying persons who have received products that have been withdrawn, recalled, or are the subject of lookback); and
  • conducting post-marketing surveillance.

Note that the reporting of adverse events and other problems is not restricted to the FDA or persons subject to the jurisdiction of the FDA. A covered entity may disclose PHI to any public health authority that is authorized to receive or collect a report on an adverse event. In addition, to the extent an adverse event is required to be reported by law, the disclosure of PHI for this purpose is also permitted.

Disclosures are permitted to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to make such notifications.

Disclosures may be made to an employer, about an individual who is a member of the workforce of the employer, in the following cases:

  • the covered entity is a covered health care provider who is a member of the workforce of such employer or who provides health care to the individual at the request of the employer, either to conduct an evaluation relating to medical surveillance of the workplace or to evaluate whether the individual has a work-related illness or injury;
  • the PHI that is disclosed consists of findings concerning a work-related illness or injury or a workplace-related medical surveillance; or
  • the employer needs such findings in order to comply with its obligations, under 29 CFR parts 1904 through 1928, 30 CFR parts 50 through 90, or under state law having a similar purpose, to record such illness or injury or to carry out responsibilities for workplace medical surveillance.

In such cases, the covered health care provider must provide written notice to the individual that PHI relating to the medical surveillance of the workplace and work-related illnesses and injuries is disclosed to the employer, by giving a copy of the notice to the individual at the time the health care is provided, or, if the health care is provided on the work site of the employer, by posting the notice in a prominent place at the location where the health care is provided.

If the covered entity is also a public health authority, it is permitted to use PHI in all the ways described above, for which it is permitted to disclose PHI to other public health entities.


   © 2002-2006 Contributing authors and University of Miami School of Medicine